BUG/MINOR: ssl: OCSP_single_get0_status can return -1

Commit 872085ce "BUG/MINOR: ssl: ocsp response with 'revoked' status is correct"
introduce a regression. OCSP_single_get0_status can return -1 and haproxy must
generate an error in this case.
Thanks to Sander Hoentjen who have spotted the regression.

This patch should be backported in 1.7, 1.6 and 1.5 if the patch above is
backported.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bb1d6915648d498a1ca91a6f8af1866379da7ac5..2f16d2871059ed9b3796c7f435a6cc62e94f6097 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -622,7 +622,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
        id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
 
        rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
-       if (rc == V_OCSP_CERTSTATUS_UNKNOWN) {
+       if (rc != V_OCSP_CERTSTATUS_GOOD && rc != V_OCSP_CERTSTATUS_REVOKED) {
                memprintf(err, "OCSP single response: certificate status is unknown");
                goto out;
        }